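---
name: PR Tests (Requires Approval)

# Manual trigger only: an admin dispatches this from the Actions tab.
# There is no pull_request / pull_request_target trigger, so the
# `github.event.pull_request` context is never populated in this workflow.
# Every PR-specific value (number, head SHA, URL) therefore has to be derived
# from the `pr_number` input — that is what the `check-skip` job does below.
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number to test (leave empty for current branch)"
        required: false
        type: string

# One in-flight run per target: a newer dispatch for the same PR (or, without a
# PR number, the same branch) cancels the older one.
concurrency:
  group: pr-tests-${{ inputs.pr_number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  # Resolve the dispatch input into a pinned commit and decide whether the run
  # should be skipped. This job holds a read-only token and none of the provider
  # secrets, so checking out PR code here only exposes `git log`.
  check-skip:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      should-skip: ${{ steps.check.outputs.should-skip }}
      pr-number: ${{ steps.resolve.outputs.pr-number }}
      pr-url: ${{ steps.resolve.outputs.pr-url }}
      head-sha: ${{ steps.resolve.outputs.head-sha }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Resolve target PR
        id: resolve
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment rather than interpolated into the
          # script: `inputs.*` is free text typed by the dispatcher, so `${{ }}`
          # inside `run:` would be a shell-injection point.
          PR_INPUT: ${{ inputs.pr_number }}
          DEFAULT_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          if [ -z "$PR_INPUT" ]; then
            # No PR given: test the branch the workflow was dispatched on.
            {
              echo "pr-number="
              echo "pr-url="
              echo "head-sha=$DEFAULT_SHA"
            } >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Accept only a bare decimal PR number.
          if ! [[ "$PR_INPUT" =~ ^[0-9]+$ ]]; then
            echo "::error::pr_number must be a positive integer, got '$PR_INPUT'"
            exit 1
          fi
          # Pin the head commit now. run-tests checks out exactly this SHA, so
          # commits pushed to the PR after dispatch are not what gets executed
          # with secrets; the approver sees the SHA in the run summary.
          read -r HEAD_SHA PR_URL < <(
            gh pr view "$PR_INPUT" --repo "$GITHUB_REPOSITORY" \
              --json headRefOid,url --jq '"\(.headRefOid) \(.url)"'
          )
          echo "Resolved PR #$PR_INPUT to $HEAD_SHA"
          {
            echo "pr-number=$PR_INPUT"
            echo "pr-url=$PR_URL"
            echo "head-sha=$HEAD_SHA"
          } >> "$GITHUB_OUTPUT"

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.resolve.outputs.head-sha }}

      # Skip the whole pipeline when the first line of the head commit message
      # contains `--skip-ci`. Skipping is fail-safe (no tests, no secrets used).
      - name: Check if pipeline should be skipped
        id: check
        run: |
          set -euo pipefail
          COMMIT_MESSAGE=$(git log -1 --pretty=%B)
          FIRST_LINE=$(echo "$COMMIT_MESSAGE" | head -n 1)
          if [[ "$FIRST_LINE" == *"--skip-ci"* ]]; then
            echo "should-skip=true" >> "$GITHUB_OUTPUT"
          else
            echo "should-skip=false" >> "$GITHUB_OUTPUT"
          fi

  # This job shows up immediately and waits for environment approval.
  run-tests:
    needs: [check-skip]
    if: needs.check-skip.outputs.should-skip != 'true'
    name: Run Tests (Awaiting Approval)
    runs-on: ubuntu-latest
    # Protected environment — configure required reviewers on `pr-testing` in
    # the repository settings. This approval is the only control between a
    # PR's code and the provider secrets below: the job checks out the PR head
    # and then executes `.github/workflows/scripts/run-tests.sh` *from that
    # checkout*, so a PR can rewrite the test harness itself. Approve only after
    # reading the diff at the pinned SHA, paying particular attention to any
    # change under `.github/`.
    environment:
      name: pr-testing
      # Link to the PR when there is one, otherwise to this run. (Concatenating
      # the run path onto the PR URL, as before, produced a broken link.)
      url: ${{ needs.check-skip.outputs.pr-url || format('{0}/{1}/actions/runs/{2}', github.server_url, github.repository, github.run_id) }}
    permissions:
      contents: read
      pull-requests: write
    steps:
      # NOTE: `audit` only logs outbound connections; it does not block
      # exfiltration. The provider tests legitimately reach many external APIs,
      # so switching to `block` would need an explicit allow-list.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The SHA resolved (and approved) in check-skip, never a moving ref.
          ref: ${{ needs.check-skip.outputs.head-sha }}
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26.2"

      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "25"

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.11"

      - name: Add comment to PR
        if: needs.check-skip.outputs.pr-number != ''
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ needs.check-skip.outputs.pr-number }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          set -euo pipefail
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "🧪 Test run approved and starting...

          **Test Suite Includes:**
          - 📦 Core Build Validation
          - 🔌 MCP Test Servers Build
          - 🔧 Core Provider Tests
          - 🛡️ Governance Tests
          - 🔗 Integration Tests

          [View workflow run →]($RUN_URL)"

      - name: Make test script executable
        run: chmod +x .github/workflows/scripts/run-tests.sh

      # Everything below this line runs code taken from the checked-out PR head
      # with the provider credentials in its environment.
      - name: Run tests
        env:
          # API Keys for provider tests
          MAXIM_API_KEY: ${{ secrets.MAXIM_API_KEY }}
          MAXIM_LOGGER_ID: ${{ secrets.MAXIM_LOG_REPO_ID }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
          AWS_ARN: ${{ secrets.AWS_ARN }}
          BEDROCK_API_KEY: ${{ secrets.BEDROCK_API_KEY }}
          AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
          AZURE_API_KEY: ${{ secrets.AZURE_API_KEY }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          PARASAIL_API_KEY: ${{ secrets.PARASAIL_API_KEY }}
          PERPLEXITY_API_KEY: ${{ secrets.PERPLEXITY_API_KEY }}
          ELEVENLABS_API_KEY: ${{ secrets.ELEVENLABS_API_KEY }}
          SGL_API_KEY: ${{ secrets.SGL_API_KEY }}
          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
          COHERE_API_KEY: ${{ secrets.COHERE_API_KEY }}
          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
          VERTEX_CREDENTIALS: ${{ secrets.VERTEX_CREDENTIALS }}
          VERTEX_PROJECT_ID: ${{ secrets.VERTEX_PROJECT_ID }}
          HUGGING_FACE_API_KEY: ${{ secrets.HUGGING_FACE_API_KEY }}
          REPLICATE_API_KEY: ${{ secrets.REPLICATE_API_KEY }}
          REPLICATE_OWNER: ${{ secrets.REPLICATE_OWNER }}
          RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
          # Label for the log line only; never interpolated into the command.
          TARGET_LABEL: ${{ needs.check-skip.outputs.pr-number || 'manual run' }}
        run: |
          set -euo pipefail
          echo "Running tests for PR #$TARGET_LABEL"
          ./.github/workflows/scripts/run-tests.sh

      - name: Report test results
        if: always() && needs.check-skip.outputs.pr-number != ''
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ needs.check-skip.outputs.pr-number }}
          JOB_STATUS: ${{ job.status }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          set -euo pipefail
          if [ "$JOB_STATUS" = "success" ]; then
            gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "✅ **All tests passed successfully!**

          All test suites have completed without errors. This PR is ready for review.

          [View detailed results →]($RUN_URL)"
          else
            gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "❌ **Tests failed**

          One or more test suites failed. Please review the failures and update your PR.

          [View detailed results →]($RUN_URL)"
          fi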